Lately, I have been hearing a lot about people building an ELK stack (Elasticsearch, Logstash and Kibana) for log analysis. I have seen some really good/cool ideas on how to incorporate this stack in a “business” type environment, but nothing for my home network. To be honest, I spend most of my time on large business networks, so I try my best to keep my home network as small as possible (go figure). But I do love security and have Security Onion (http://blog.securityonion.net/) monitoring my overall network infrastructure. After giving it some thought, I decided it would be a great idea to give Bro IDS a GUI front-end. This would be my new adventure: getting ELK working with Bro in the Security Onion distribution. Here is how I got it rolling:

After a fresh install of Security Onion (I am using version 12.04.5.1), you will want to perform an update and some initial tasks with elevated privileges. Simply do:

Next, edit the file /etc/elasticsearch/elasticsearch.yml and add the following two lines:

network.host: WEBSERVER_IP_ADDRESS

script.disable_dynamic: true

Restart Elasticsearch and make sure it is running properly. If it is running as expected, alter the init scripts so that it starts on boot.

service elasticsearch restart

service elasticsearch status

update-rc.d elasticsearch defaults 95 10
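The two settings above are the ones that matter for safety: network.host keeps port 9200 off every interface except the one you name, and script.disable_dynamic: true switches off inline scripting, which in Elasticsearch 1.x lets anyone who can reach port 9200 run code on the node. The following check is an added example, not part of the original post; it assumes the Elasticsearch 1.x key: value config format used on Security Onion 12.04 and can be run against the real file before the restart.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the two
# elasticsearch.yml hardening settings before restarting the service.
# Assumes Elasticsearch 1.x "key: value" syntax.
# Usage: check_es_config /etc/elasticsearch/elasticsearch.yml
check_es_config() {
    cfg="$1"
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }

    # network.host must be present and must not be a wildcard or the
    # post's placeholder; otherwise 9200 is reachable on every interface.
    host=$(sed -n 's/^[[:space:]]*network\.host:[[:space:]]*//p' "$cfg" | tail -n 1)
    case "$host" in
        "")                    echo "network.host missing (ES binds all interfaces)"; rc=1 ;;
        0.0.0.0|::|_non_loopback_) echo "network.host=$host exposes 9200 on every interface"; rc=1 ;;
        WEBSERVER_IP_ADDRESS)  echo "network.host is still the placeholder value"; rc=1 ;;
        *)                     echo "network.host=$host ok" ;;
    esac

    # script.disable_dynamic: true turns off inline (dynamic) scripting.
    dyn=$(sed -n 's/^[[:space:]]*script\.disable_dynamic:[[:space:]]*//p' "$cfg" | tail -n 1)
    case "$dyn" in
        true) echo "dynamic scripting disabled ok" ;;
        *)    echo "script.disable_dynamic is '${dyn:-unset}', expected true"; rc=1 ;;
    esac
    return $rc
}
```

A non-zero exit means at least one of the two settings is missing or unsafe; run it again after editing the file and only then restart the service.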

All of the instructions that I have seen online suggest that you should set up an NGINX server to front Kibana. I may be wrong in thinking this, but since Security Onion already has Apache running, I decided to configure a virtual host for Kibana in Apache2. It is interesting how Kibana interacts with ElasticSearch, and I wanted Kibana to run over SSL. In order to do so, I first had to enable proxy_http within Apache2. Trust me, it will make sense soon!

Now that Kibana is in the Apache2 /var/www directory, let’s configure it. Edit /var/www/kibana/config.js so that Kibana reaches ElasticSearch on port 8080 over HTTPS. You will need to change this line:

We are almost done with the webserver part; just a couple more tasks to complete. Now I am going to create an Apache virtual host for Kibana. The file will be located at /etc/apache2/sites-enabled/kibana.

“Kibana” File Contents:

NOTE: Please modify the following line to point to your webserver IP address:

Now for the part that is bugging me. It appears that ElasticSearch simply hates UFW (Uncomplicated Firewall). I have tried allowing ports 8080 and 9200-9400, but I am still having issues. As a result, I performed the following commands:

Whenever I start a penetration test, I will gather as much data as I can about the target. When I want to use Social Engineering as an attack vector, I typically like to use spear phishing techniques. In order to help me out, I created a simple python script that will spider a website(s) and will extract any email that it comes across.

Exit out of the device and try to log into it with the new credentials.

10) Update your device:

apt-get update && apt-get upgrade

11) Now that your base system has been created, let’s start installing the necessary software. First, install MySQL:

apt-get install mysql-server

12) Next, you will need to install Apache. Please do the following:

apt-get install apache2

13) Install PHP:

apt-get install php5

14) Install snort-mysql:

apt-get install snort-mysql

15) Now that all of that software is installed, we will need to bridge the two “USB to Ethernet” adaptors so that Snort will listen on that bridge. First, install the bridge utilities:

apt-get install bridge-utils

16) Let’s set up the bridge.
First, issue the following commands:

brctl addbr br0
ip addr show
brctl addif br0 eth1 eth2

Now edit the file /etc/network/interfaces; it should look like this:

auto lo br0

iface lo inet loopback
iface eth0 inet dhcp

iface eth1 inet manual
iface eth2 inet manual

iface br0 inet dhcp
    bridge_ports eth1 eth2

17) You will now need to reconfigure snort-mysql:

dpkg-reconfigure -plow snort-mysql